Public bug reported:
Because of bug 1647285 I need to install corporate SSL CAs into the
database of each NSS-using application individually. Unfortunately it
doesn't seem to work for Firefox. Not only does Firefox ship with its
*own* version of NSS instead using the system's version, but it even
seems to be configured very differently.
Firefox appears to use the legacy Berkeley DB database for its softokn,
in key3.db/cert8.db. However, the system's certutil won't work with that
legacy format:
$ certutil -d ~/.mozilla/firefox/default.default/ -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.
I can force it to use the SQL database in key4.db/cert9.db by running
with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with
certutil. But actually, it's much simpler to just make a symlink from
firefox's own special copy of the SSL trust roots in libnssckbi.so, to
the system's p11-kit-trust.so — thus making Firefox honour the system
trust configuration.
** Affects: firefox (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1648616
Title:
Firefox uses its own version of NSS, incompatible with system version
Status in firefox package in Ubuntu:
New
Bug description:
Because of bug 1647285 I need to install corporate SSL CAs into the
database of each NSS-using application individually. Unfortunately it
doesn't seem to work for Firefox. Not only does Firefox ship with its
*own* version of NSS instead using the system's version, but it even
seems to be configured very differently.
Firefox appears to use the legacy Berkeley DB database for its
softokn, in key3.db/cert8.db. However, the system's certutil won't
work with that legacy format:
$ certutil -d ~/.mozilla/firefox/default.default/ -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.
I can force it to use the SQL database in key4.db/cert9.db by running
with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs
with certutil. But actually, it's much simpler to just make a symlink
from firefox's own special copy of the SSL trust roots in
libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox
honour the system trust configuration.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
